How to Install Certbot SSL

Oct 30, 2025 - 10:16

Securing your website with HTTPS is no longer optional—it’s a necessity. Search engines like Google prioritize secure sites in rankings, modern browsers flag non-HTTPS sites as “Not Secure,” and users increasingly expect encrypted connections. One of the most reliable, free, and automated ways to obtain and install an SSL certificate is through Certbot, an open-source tool developed by the Electronic Frontier Foundation (EFF) in partnership with the Internet Security Research Group (ISRG), the organization behind Let’s Encrypt.

Certbot simplifies the complex process of acquiring and renewing SSL/TLS certificates. It automates domain validation, certificate generation, and server configuration across a wide range of web servers—including Apache, Nginx, and others—on Linux-based systems. Unlike paid SSL providers that require manual processes, Certbot delivers trusted certificates at no cost, with automatic renewal to ensure continuous protection.

This comprehensive guide walks you through every step of installing Certbot SSL on your server, from preparation to validation and long-term maintenance. Whether you’re managing a personal blog, an e-commerce storefront, or a corporate web application, following this tutorial will ensure your site remains secure, compliant, and search-engine optimized.

Step-by-Step Guide

Prerequisites

Before installing Certbot, ensure your server meets the following requirements:

  • A domain name registered and pointing to your server’s public IP address via A or AAAA DNS records.
  • A server running a supported Linux distribution (Ubuntu 20.04/22.04, Debian 11/12, CentOS Stream, or similar).
  • Root or sudo access to the server.
  • A web server (Apache or Nginx) installed and configured to serve content on port 80 (HTTP).
  • Port 80 and port 443 open in your firewall (ufw, firewalld, or cloud provider security group).

Verify your domain’s DNS resolution by running:

dig +short yourdomain.com

Ensure the output matches your server’s public IP. If not, update your DNS settings and wait up to 48 hours for propagation (though typically it’s under 5 minutes).

Step 1: Update Your System

Always begin by ensuring your system is up to date. This reduces compatibility issues and ensures you’re installing the latest secure versions of dependencies.

On Ubuntu or Debian:

sudo apt update && sudo apt upgrade -y

On CentOS Stream or RHEL-based systems:

sudo dnf update -y

Step 2: Install Certbot

Certbot is available via package managers and the official Certbot repository. The recommended method is using the OS package manager for stability and automatic updates.

On Ubuntu 20.04/22.04 or Debian 11/12:

sudo apt install certbot python3-certbot-nginx -y

If you’re using Apache instead of Nginx:

sudo apt install certbot python3-certbot-apache -y

On CentOS Stream or RHEL 8/9:

sudo dnf install certbot python3-certbot-nginx -y

For Apache on RHEL-based systems:

sudo dnf install certbot python3-certbot-apache -y

If your distribution doesn’t include Certbot in its default repos, install it via snap (though this is discouraged on production servers due to sandboxing limitations):

sudo snap install --classic certbot

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Step 3: Configure Your Web Server

Certbot requires your web server to be reachable on port 80 during domain validation. It uses the HTTP-01 challenge, in which Certbot places a temporary file on your server that Let’s Encrypt’s validation servers fetch over plain HTTP to verify domain ownership.

For Nginx:

Ensure your server block (virtual host) is configured to respond to your domain. Edit your Nginx config:

sudo nano /etc/nginx/sites-available/yourdomain.com

Verify it includes a server block similar to this:

server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;

    root /var/www/yourdomain.com/html;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}

Test the configuration and reload Nginx:

sudo nginx -t

sudo systemctl reload nginx

For Apache:

Edit your virtual host file:

sudo nano /etc/apache2/sites-available/yourdomain.com.conf

Ensure it contains:

<VirtualHost *:80>
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com
    DocumentRoot /var/www/yourdomain.com/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Enable the site and restart Apache:

sudo a2ensite yourdomain.com.conf

sudo systemctl restart apache2

Step 4: Obtain and Install the SSL Certificate

Now that your server is configured and accessible, run Certbot to obtain the certificate.

For Nginx:

sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

For Apache:

sudo certbot --apache -d yourdomain.com -d www.yourdomain.com

Certbot will prompt you to enter an email address for renewal notifications and security alerts. This is optional but highly recommended. You’ll then be asked to agree to the Let’s Encrypt Terms of Service. Type A to accept.

Next, you’ll be prompted whether to redirect HTTP traffic to HTTPS. Select 2: Redirect to enforce secure connections automatically. This is critical for SEO and user trust.

Certbot will automatically:

  • Validate your domain via HTTP-01 challenge
  • Generate the SSL certificate and private key
  • Modify your web server configuration to include SSL directives
  • Restart your web server to apply changes

Upon success, you’ll see output similar to:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/yourdomain.com/fullchain.pem
 - Your key file has been saved at:
   /etc/letsencrypt/live/yourdomain.com/privkey.pem
 - Your certificate will expire on 2025-03-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again.
 - To non-interactively renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le

Step 5: Verify SSL Installation

After installation, verify your SSL certificate is active and correctly configured.

Open your browser and navigate to https://yourdomain.com. You should see a padlock icon in the address bar. Click it to view certificate details, including the issuer (Let’s Encrypt), validity period, and domain coverage.

For a technical audit, use these free online tools:

  • SSL Labs SSL Test – Comprehensive analysis of certificate, protocol support, and cipher strength.
  • Check-Your-Website – Detailed report including HSTS, OCSP, and redirect chains.

Run a command-line check using OpenSSL:

openssl s_client -connect yourdomain.com:443 -servername yourdomain.com </dev/null

Look for “Verify return code: 0 (ok)” to confirm validity.

Step 6: Set Up Automatic Renewal

Let’s Encrypt certificates expire every 90 days. Certbot automatically creates a cron job or systemd timer to renew certificates before expiration.

Check if the renewal service is active:

On systemd-based systems (Ubuntu 20.04+, Debian 10+):

sudo systemctl list-timers | grep certbot

You should see an entry like:

Wed 2025-02-05 03:30:00 UTC  19h left   Tue 2025-02-04 03:30:00 UTC  1 day 19h ago  certbot.timer    certbot.service

Test the renewal process manually:

sudo certbot renew --dry-run

If the dry run succeeds, your renewal setup is working. No further action is needed. Certbot will automatically renew certificates within 30 days of expiration.

Best Practices

Use Strong Cipher Suites

While Certbot configures secure defaults, you can further harden your server by customizing cipher suites. For Nginx, edit your SSL configuration:

sudo nano /etc/nginx/sites-available/yourdomain.com

Add or update the SSL section:

ssl_protocols TLSv1.2 TLSv1.3;
# ssl_ciphers governs TLS 1.2 only; TLS 1.3 suites are fixed by OpenSSL
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

For Apache, use:

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-SHA384
SSLHonorCipherOrder off

Always test your configuration after changes using SSL Labs.

Enable HTTP Strict Transport Security (HSTS)

HSTS forces browsers to connect via HTTPS only, preventing downgrade attacks. Add this header to your server configuration.

Nginx:

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

Apache:

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

After enabling HSTS, submit your domain to the HSTS Preload List for browser-level enforcement.
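The checks from Step 5 (chain verification, expiry) together with the HTTP-to-HTTPS redirect from Step 4 and the HSTS header above can be run as one audit. This script is an added example, not part of the original article; it assumes GNU date and grep, and the parsing helpers work on captured text so they run without network access.

```shell
#!/bin/bash
# Post-install HTTPS audit. audit() performs the live checks with openssl and
# curl; the helpers below parse captured output and are testable offline.
set -eu

# Return 0 when `openssl s_client` output reports a verified chain.
cert_verified() {                 # $1: captured s_client output
  printf '%s\n' "$1" | grep -q 'Verify return code: 0 (ok)'
}

# Print the HSTS max-age in seconds, or 0 when the header is missing.
hsts_max_age() {                  # $1: captured HTTPS response headers
  local v
  v=$(printf '%s\n' "$1" | tr -d '\r' | grep -i '^strict-transport-security:' \
      | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n1) || true
  printf '%s\n' "${v:-0}"
}

# Return 0 when the plain-HTTP response redirects to https:// on the same host.
redirects_to_https() {            # $1: captured HTTP headers, $2: domain
  printf '%s\n' "$1" | tr -d '\r' | grep -i '^location: *https://' \
      | grep -qiF "//$2"
}

# Print whole days until notAfter (negative once the certificate has expired).
days_left() {                     # $1: "notAfter=..." line from openssl x509 -enddate
  local expiry
  expiry=$(date -d "${1#notAfter=}" +%s)
  echo $(( (expiry - $(date +%s)) / 86400 ))
}

audit() {                         # $1: domain to check live
  local d="$1" tls
  tls=$(openssl s_client -connect "$d:443" -servername "$d" </dev/null 2>/dev/null)
  cert_verified "$tls" && echo "chain: verified" || echo "chain: NOT verified"
  echo "days left: $(days_left "$(printf '%s\n' "$tls" | openssl x509 -noout -enddate)")"
  redirects_to_https "$(curl -sI "http://$d/")" "$d" \
      && echo "http -> https redirect: yes" || echo "http -> https redirect: NO"
  echo "HSTS max-age: $(hsts_max_age "$(curl -sI "https://$d/")")"
}

if [ -n "${1:-}" ]; then audit "$1"; fi
```

Run it as `./https-audit.sh yourdomain.com`; a max-age of 0 means the HSTS header never reached the client, which usually points at a missing `always` (Nginx) or a header set only on some responses.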

Secure Certificate File Permissions

Certbot stores private keys under /etc/letsencrypt/live/yourdomain.com/; the files there are symlinks into /etc/letsencrypt/archive/, and chmod follows the link, so the archived key is what actually changes. Ensure only root can read it:

sudo chmod 600 /etc/letsencrypt/live/yourdomain.com/privkey.pem

sudo chown root:root /etc/letsencrypt/live/yourdomain.com/privkey.pem

Regularly audit permissions:

ls -la /etc/letsencrypt/live/yourdomain.com/

Monitor Certificate Expiry

Even with automatic renewal, set up monitoring. Create a simple script to check expiry dates (save it as /usr/local/bin/check-cert-expiry.sh and mark it executable with chmod +x):

#!/bin/bash
# Warn when the Let's Encrypt certificate for DOMAIN is within 15 days of expiry.
set -euo pipefail

DOMAIN="yourdomain.com"
CERT_PATH="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"

# openssl prints "notAfter=Mar 15 03:30:00 2025 GMT"; keep only the date part
EXPIRY=$(openssl x509 -enddate -noout -in "$CERT_PATH" | cut -d= -f2)
EXPIRY_TIMESTAMP=$(date -d "$EXPIRY" +%s)
NOW=$(date +%s)
DAYS_LEFT=$(( (EXPIRY_TIMESTAMP - NOW) / 86400 ))

if [ "$DAYS_LEFT" -lt 15 ]; then
    echo "WARNING: Certificate for $DOMAIN expires in $DAYS_LEFT days"
    # Optionally send an email or log to a monitoring system
fi

Schedule it weekly via cron:

sudo crontab -e

Add:

0 2 * * 1 /usr/local/bin/check-cert-expiry.sh

Avoid Mixed Content

After enabling HTTPS, ensure all resources (images, scripts, stylesheets) are loaded over HTTPS. Mixed content breaks security and triggers browser warnings.

Use browser DevTools (Network tab) to identify HTTP resources. Replace hard-coded URLs:

  • Change http://yourdomain.com/image.jpg to https://yourdomain.com/image.jpg
  • Or use protocol-relative URLs: //yourdomain.com/image.jpg

For CMS platforms like WordPress, update the site URL under Settings > General and use plugins like “Really Simple SSL” to enforce HTTPS.
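Hard-coded http:// subresources can also be found from the command line before deploying. The scanner below is an added example, not from the original article; it assumes GNU grep and sed, reports only subresource references (src= attributes and <link href=>), and deliberately ignores <a href> links and protocol-relative //host URLs, which browsers do not treat as mixed content.

```shell
#!/bin/bash
# Mixed-content scan over a saved HTML file.
set -eu

# Print "tag url" for every http:// subresource in file $1; prints nothing when clean.
find_mixed_content() {
  grep -oiE '<(img|script|iframe|audio|video|source|link)[^>]*\b(src|href)="http://[^"]*"' "$1" \
    | sed -E 's/^<([a-z]+).*(src|href)="(http:[^"]*)"/\1 \3/I' || true
}

# Print the number of mixed-content references in file $1 (0 when clean).
mixed_content_count() {
  find_mixed_content "$1" | grep -c . || true
}

if [ -n "${1:-}" ]; then
  n=$(mixed_content_count "$1")
  find_mixed_content "$1"
  echo "$n mixed-content reference(s) in $1"
  [ "$n" -eq 0 ]   # non-zero exit lets a CI job fail on mixed content
fi
```

Fetch a page with `curl -s https://yourdomain.com/ > page.html` and run `./mixed-content.sh page.html`; the exit status is non-zero whenever something was found.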

Use DNS Validation for Complex Setups

If your server isn’t publicly accessible on port 80 (e.g., behind a load balancer or CDN), use DNS-01 challenge with Certbot and a DNS plugin:

sudo certbot certonly --dns-cloudflare -d yourdomain.com -d www.yourdomain.com

This requires installing the matching plugin (e.g., python3-certbot-dns-cloudflare) and pointing Certbot at a credentials file with --dns-cloudflare-credentials (as in Example 3 below); keep that file readable by root only, since it holds an API token.

Tools and Resources

Official Certbot Documentation

The definitive source for installation guides, troubleshooting, and advanced configurations is the official Certbot website:

Let’s Encrypt Certificate Transparency Logs

Monitor certificate issuance for your domain to detect unauthorized issuance:

SSL/TLS Configuration Generators

Use these tools to generate secure, up-to-date server configurations:

Monitoring and Alerting Tools

Automate certificate monitoring beyond manual checks:

Command-Line Utilities

Essential tools for SSL diagnostics:

  • openssl – Inspect certificates, test connections, generate CSRs.
  • curl – Test HTTPS responses: curl -I https://yourdomain.com
  • ssllabs-scan – CLI version of SSL Labs: ssllabs-scan yourdomain.com (install via GitHub)

Community and Support

For troubleshooting, consult:

Real Examples

Example 1: WordPress Site on Ubuntu 22.04 with Nginx

Scenario: A small business runs a WordPress blog on a VPS. The site is slow and flagged as “Not Secure” in Chrome.

Steps taken:

  1. Updated Ubuntu: sudo apt update && sudo apt upgrade
  2. Installed Nginx and WordPress (LAMP stack replaced with LEMP).
  3. Configured Nginx server block for example.com and www.example.com.
  4. Installed Certbot: sudo apt install certbot python3-certbot-nginx
  5. Ran: sudo certbot --nginx -d example.com -d www.example.com
  6. Selected “Redirect HTTP to HTTPS” when prompted.
  7. Verified SSL via SSL Labs: Score A+.
  8. Installed “Really Simple SSL” WordPress plugin to fix mixed content.
  9. Added HSTS header in Nginx config.

Result: Page load speed improved by 32% due to HTTP/2 support enabled by SSL. Google Search Console reported zero security errors. Organic traffic increased by 18% over 60 days.

Example 2: API Backend on CentOS Stream with Apache

Scenario: A fintech startup hosts a REST API on a private server. They need TLS for client authentication.

Steps taken:

  1. Installed Apache and configured virtual host for api.company.com.
  2. Opened ports 80 and 443 in firewalld.
  3. Installed Certbot: sudo dnf install certbot python3-certbot-apache
  4. Obtained certificate: sudo certbot --apache -d api.company.com
  5. Configured Apache to require TLS 1.2+ and disable weak ciphers.
  6. Set up automatic renewal via systemd timer.
  7. Created a script to notify developers 30 days before expiry.

Result: API clients report 100% successful TLS handshakes. Compliance with PCI DSS and SOC 2 requirements achieved.

Example 3: Multi-Domain Setup with Wildcard Certificate

Scenario: A SaaS platform hosts multiple subdomains (app.domain.com, api.domain.com, admin.domain.com) and wants a single certificate.

Steps taken:

  1. Used DNS-01 challenge with Cloudflare API.
  2. Installed python3-certbot-dns-cloudflare plugin.
  3. Created ~/.secrets/certbot/cloudflare.ini with API key.
  4. Issued wildcard certificate: sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini -d *.domain.com -d domain.com
  5. Configured Nginx to use the same certificate across all subdomains.
  6. Automated renewal with a custom script that reloads Nginx after renewal.

Result: Single certificate covers all subdomains. No need to manage multiple certs. Renewals are fully automated.
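Step 6 of this example needs a script that reloads Nginx after a certonly renewal, because the DNS plugin installs nothing into the web server. The deploy hook below is an added example, not the platform's own script; the file name reload-nginx.sh and the log path are assumptions, while RENEWED_LINEAGE and RENEWED_DOMAINS are the variables Certbot exports to deploy hooks.

```shell
#!/bin/bash
# Certbot deploy hook: reload Nginx only after a renewal Nginx actually uses,
# and only if the configuration still passes `nginx -t`. Install as
# /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh (mode 0755); Certbot
# runs every script there once per renewed lineage with RENEWED_LINEAGE
# (e.g. /etc/letsencrypt/live/domain.com) and RENEWED_DOMAINS exported.
set -eu

# Return 0 if any file under config dir $2 references $1/fullchain.pem.
lineage_in_use() {
  grep -rqF "$1/fullchain.pem" "$2" 2>/dev/null
}

# Run config-test command $1; reload with $2 only if the test passes.
# Returns 1 without reloading when the test fails, so a broken config is
# never applied during an unattended renewal.
reload_if_valid() {
  if $1 >/dev/null 2>&1; then
    $2
  else
    echo "config test '$1' failed; reload skipped" >&2
    return 1
  fi
}

main() {
  local lineage="${RENEWED_LINEAGE:?set by certbot}"
  if lineage_in_use "$lineage" /etc/nginx; then
    echo "$(date -Is) renewed ${RENEWED_DOMAINS:-?}; reloading nginx" \
        >> /var/log/letsencrypt/deploy-hook.log
    reload_if_valid "nginx -t" "systemctl reload nginx"
  fi
}

# Only act when invoked by Certbot; sourcing the file for tests does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then main; fi
```

`sudo certbot renew --dry-run` exercises deploy hooks as well, so a failing hook shows up there rather than at the real renewal.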

FAQs

Is Certbot free to use?

Yes. Certbot is completely free and open-source. The SSL certificates it issues are provided by Let’s Encrypt at no cost. There are no hidden fees, subscription models, or upsells.

How often do Certbot certificates expire?

Let’s Encrypt certificates are valid for 90 days. Certbot automatically renews them before expiration—typically 30 days in advance—so you don’t need to manually intervene.

Can I use Certbot on Windows?

Certbot does not officially support Windows. However, you can use alternative tools like win-acme (ACME client for Windows) to obtain Let’s Encrypt certificates on IIS servers.

What if Certbot fails to validate my domain?

Common causes include:

  • DNS records not pointing to the server.
  • Firewall blocking port 80.
  • Web server misconfiguration (e.g., incorrect DocumentRoot).
  • Redirects or caching interfering with the challenge file.

Check the logs: sudo tail -f /var/log/letsencrypt/letsencrypt.log for specific error messages.

Can I use Certbot with a CDN like Cloudflare?

Yes, but you must configure it correctly. If Cloudflare’s proxy is enabled (orange cloud), Certbot’s HTTP-01 challenge will fail because the request goes to Cloudflare, not your server.

Solutions:

  • Temporarily pause Cloudflare proxy (gray cloud) during issuance.
  • Use DNS-01 challenge with Cloudflare API (recommended for production).

Does Certbot work with shared hosting?

Most shared hosting providers do not allow root access or custom server configuration, making Certbot incompatible. However, many providers (e.g., SiteGround, Kinsta, Bluehost) now offer free Let’s Encrypt certificates through their control panels. Use their built-in tools instead.

Can I install multiple certificates on one server?

Yes. Certbot can issue and manage certificates for multiple domains and subdomains. Run sudo certbot --nginx -d domain1.com -d domain2.com to issue a certificate covering both. Each domain will be stored in its own directory under /etc/letsencrypt/live/.

What’s the difference between Certbot and Let’s Encrypt?

Let’s Encrypt is the certificate authority (CA) that issues the actual SSL certificates. Certbot is the client software that communicates with Let’s Encrypt to request, install, and renew those certificates. Think of Let’s Encrypt as the factory and Certbot as the delivery truck.

Is Certbot secure?

Yes. Certbot is developed and maintained by the Electronic Frontier Foundation and is widely trusted by millions of websites. It uses the industry-standard ACME protocol and encrypts all communication with Let’s Encrypt servers. Always download Certbot from official sources to avoid malicious forks.

Can I use Certbot for internal domains or IP addresses?

No. Let’s Encrypt only issues certificates for publicly resolvable domain names. Internal domains (e.g., internal.local) or IP addresses cannot be validated. For internal use, consider self-signed certificates or a private PKI.

Conclusion

Installing Certbot SSL is one of the most impactful technical decisions you can make for your website. It enhances security, improves search engine rankings, builds user trust, and ensures compliance with modern web standards—all at zero cost. The process, while technical, is streamlined and automated by Certbot, making it accessible even to those with limited server experience.

By following this guide, you’ve not only secured your site with a trusted SSL certificate but also implemented best practices for long-term maintenance: automatic renewal, HSTS enforcement, cipher hardening, and monitoring. These steps ensure your site remains secure for years to come, even as threats evolve.

Remember: SSL is not a one-time setup. It’s an ongoing responsibility. Regularly check your certificate status, monitor for mixed content, and stay informed about updates to TLS standards. With Certbot, you’ve taken the most important step—automating the tedious parts so you can focus on what matters: delivering value to your users.

Now that your site is secure, consider auditing your site’s performance with tools like Lighthouse or WebPageTest. HTTPS opens the door to modern web features like HTTP/2, service workers, and push notifications—all of which can further elevate your site’s speed and user experience.